Laws and Legal Issues with Data Mining
With the concept of data mining only being introduced in the 1990s and businesses only investing and utilizing it heavily within the last 15 years, it is not surprising that there are many questions that remain unanswered regarding the laws and regulations that apply to data mining. The laws that have had the most intersection with data mining are the Electronic Communications Privacy Act (ECPA) of 1986, the Fair Credit Reporting Act (FCRA) of 1970, and the Family Educational Rights and Privacy Act (FERPA) of 1974. While these laws have been used to answer some questions related to data mining, they were written at a time when people did not know that technology would grow at such an exponential rate. They did not know or foresee many of the issues that now need clear, unequivocal answers. New legislation and regulations are needed to address the array of issues currently being faced. The Federal Trade Commission has also weighed in on the issue, offering guidance and some oversight. Electronic Communications Privacy Act "ECPA" The Electronic Communications Privacy Act ("ECPA") was passed in 1986 and expanded and changed federal wiretapping and electronic eavesdropping guidelines. The goal of the ECPA was to strike a fair balance between the privacy concern of citizens and the real needs of law enforcement. Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe.” While this law talks about the requirements for law enforcement to access email, it does not address the issues of how people’s personal information are being transferred to third parties they are not even familiar with 12. Fair Credit Reporting Act "FCRA" The Fair Credit Reporting Act is a law put in place to protect consumers that forces credit reporting agencies to give access to their credit reports, so that any mistakes or errors are transparent, and consumers have the opportunity to have them fixed. The FCRA addresses the principle of “access/participation.” This principle is about a person’s ability to have access to their personal data to figure out if it is accurate. The principle is needed so that people can fix or correct information about them. Many collectors of information used in data mining, or “data brokers,” are third parties. They collect information not directly from consumers, but from the companies they are working with whom originally collected it. If a consumer could identify a data broker holding their information, they would still not have any legal recourse against them unless a contract were in place. The exception to this would be if the data brokers were acting as a credit reporting agency, which most data brokers ensure they do not meet, as then the FCRA does not become applicable to them 29. Family Educational Rights and Privacy Act "FERPA" and Google: “The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that gives parents certain protections with regard to their children's education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.” This law requires schools or educational institutions to obtain written permission before giving children’s information that could personally identify them to anyone besides the parents 9. Google was in the news in March of 2014 for data mining and scanning millions of email messages sent and received by students who used its “Apps for Education” suite. At the time, Apps for Education had 30 million users worldwide and included Google’s popular email service, Gmail. Google acknowledged that they scan and index emails for a many reasons, including advertising. It bears mentioning that Google has the advertising function in Apps for Education turned off by default. This has a crossover effect with Google owning many companies including the popular video site YouTube, as well as Google +, and Google Search. While the data gleaned from email messages might not always be used to provide targeted advertising in Gmail, it can be used in Google’s other companies to provide targeted advertising to the same people based on the data mined out of their email. So how does FERPA apply here? The Department of Education has issued guidance that do not directly name Apps for Education, but do describe a very similar to Google’s and have said that “the provider may not use data about individual student preferences gleaned from scanning student content to target ads to individual students.” The problem with FERPA is that it does not define educational records clearly enough in today’s digital era (10). In response to the bad press, they were receiving Google announced a month later that would stop scanning student emails and turn off advertising in Apps for Education 11. The Federal Trade Commission: The FTC has indicated that they would like to see more regulatory oversight on data mining and would like to see Congress pass targeted legislation to do so. Although privacy and data mining related legislation has been proposed including the oversight and regulation of data brokers, nothing has passed to this date. The FTC has also said they would like to see data brokers that use data mining for marketing purposes create a website. This website would identify the data brokers to consumers, describe how they collect and use data, and also detail the rights and choices that are available to consumers regarding the data that the data brokers are maintaining on them. 29